From 3d745e63f68c0cc3563c1d80568e9fcf2064cbf8 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 12 Sep 2017 22:07:12 -0500
Subject: [PATCH] HttpSecurityConfiguration applies all defaults
HttpSecurity headers is off by default and relies on HttpSecurityConfiguration to enable it. This is more consistent with the other operators
---
 .../web/reactive/HttpSecurityConfiguration.java | 12 ++++++------
 .../security/config/web/server/HttpSecurity.java | 5 ++++-
 .../config/web/server/HttpSecurityTests.java | 2 +-
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java
index 941c39aff2..ca715cecf0 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java
@@ -67,12 +67,12 @@ public class HttpSecurityConfiguration implements WebFluxConfigurer {
 @Bean(HTTPSECURITY_BEAN_NAME)
 @Scope("prototype")
 public HttpSecurity httpSecurity() {
- HttpSecurity http = http();
- http.httpBasic();
- http.formLogin();
- http.authenticationManager(authenticationManager());
- http.securityContextRepository(new WebSessionSecurityContextRepository());
- return http;
+ return http()
+ .authenticationManager(authenticationManager())
+ .securityContextRepository(new WebSessionSecurityContextRepository())
+ .headers().and()
+ .httpBasic().and()
+ .formLogin().and();
 }
 private ReactiveAuthenticationManager authenticationManager() {
diff --git a/config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java
index c9f88939ba..0f23d462eb 100644
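Review bot: Nothing in this commit tests that the `httpSecurity()` bean itself still produces response headers, even though `.headers().and()` in this chain is now the only place they get switched on by default. The diffstat shows only `HttpSecurityTests` touched on the test side, and that test enables headers by hand in `setup()`. A regression test against the configuration-provided bean would catch a later edit that drops the `.headers()` call and silently ships applications without them. A short Javadoc on `httpSecurity()` listing the defaults would also help, e.g. `/** Prototype HttpSecurity with the default authentication manager, session-backed context repository, headers, HTTP Basic and form login enabled. */`.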
--- a/config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java
@@ -79,7 +79,7 @@ public class HttpSecurity {
 private AuthorizeExchangeBuilder authorizeExchangeBuilder;
- private HeaderBuilder headers = new HeaderBuilder();
+ private HeaderBuilder headers;
 private HttpBasicBuilder httpBasic;
 private FormLoginBuilder formLogin;
@@ -132,6 +132,9 @@ public class HttpSecurity {
 }
 public HeaderBuilder headers() {
+ if(this.headers == null) {
+ this.headers = new HeaderBuilder();
+ }
 return this.headers;
 }
diff --git a/config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java b/config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java
index f0cbab8c86..082b54949b 100644
--- a/config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java
@@ -56,7 +56,7 @@ public class HttpSecurityTests {
 @Before
 public void setup() {
- this.http = HttpSecurity.http();
+ this.http = HttpSecurity.http().headers().and();
 }
 @Test
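Review bot: With the `headers` field no longer initialised, an `HttpSecurity` obtained directly from `HttpSecurity.http()` has no `HeaderBuilder` unless the caller remembers `.headers()`. Code that previously got the headers implicitly now loses them with no compile-time or runtime signal. That turns a secure default into an opt-in, so it is worth recording on the field, for example `// null until headers() is called; HttpSecurityConfiguration enables it by default`. The code that consumes `this.headers` when the filter chain is built is outside this diff; it presumably needs an `if (this.headers != null)` guard like the other optional builders, so please confirm one is there.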
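Review bot: `headers()` now has a side effect, since the first call is what creates the `HeaderBuilder`, and the method carries no Javadoc saying so. Given the commit message states headers are off by default, something like `/** Enables response headers and returns the builder used to customise them; no HeaderBuilder is configured unless this method is called. */` would make the opt-in visible at the call site. As a minor style point, `if(this.headers == null) {` should read `if (this.headers == null) {`, with a space after `if`. The enclosing class starts and ends outside this hunk.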